Gofiber Fiber Denial-of-Service Vulnerability in BodyParser Function

Vulnerability

A denial-of-service vulnerability has been identified in the Gofiber Fiber web framework, affecting version 2.52.6 (fixed in 2.52.7). The issue arises in the `fiber.Ctx.BodyParser` method, which can map flat form data onto nested slices using an indexed key syntax. When a negative index is supplied, the function panics instead of returning an error indicating that the data cannot be processed. Because the panic occurs inside request handling, applications that rely on this parsing functionality can be crashed by a single malformed request.

Impact

Exploiting this vulnerability causes the server to panic and crash, disrupting service.

Reproduction

To reproduce this vulnerability, set up a Fiber v2 server with a POST endpoint that uses the `fiber.Ctx.BodyParser` method to parse form data into a struct. When the server receives a request whose form keys use an invalid nested-slice index, such as a negative value, the process panics and crashes. This can be tested with a tool like curl by sending a form request that includes the negative index.

Remediation

Users can upgrade to Gofiber Fiber version 2.52.7, which addresses this vulnerability.
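For deployments that cannot upgrade immediately, the two defensive layers a practitioner would add are (1) rejecting form keys with negative or oversized slice indices before the body reaches the decoder, and (2) containing any parser panic so it becomes a 4xx/5xx response rather than a process crash. The following Go program is an added example written for this page; it is not code from the Fiber project. It uses only the standard library so it can run stand-alone, and it assumes the nested-slice key syntax is `field[index]` (e.g. `items[0].name`), which is an assumption to verify against the decoder in use. The `maxIndex` cap is also a chosen value, not a Fiber setting.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
)

// indexRe matches a bracketed index segment in a form key such as
// "items[0].name" or "tags[-1]". Assumption: the nested-slice syntax
// is field[index]; adjust the pattern if your decoder differs.
var indexRe = regexp.MustCompile(`\[(-?\d+)\]`)

// ErrNegativeIndex is returned when a form key addresses a slice
// element with a negative index, the condition described in the advisory.
var ErrNegativeIndex = errors.New("form key uses a negative slice index")

// maxIndex is an arbitrary upper bound (chosen for this example) so that a
// huge index cannot force a large allocation while decoding.
const maxIndex = 1000

// ValidateFormKeys parses a URL-encoded body and returns an error if any
// key carries a negative index or one above maxIndex. Call it before
// handing the body to a struct decoder.
func ValidateFormKeys(body string) error {
	values, err := url.ParseQuery(body)
	if err != nil {
		return fmt.Errorf("malformed form body: %w", err)
	}
	for key := range values {
		for _, m := range indexRe.FindAllStringSubmatch(key, -1) {
			idx, err := strconv.Atoi(m[1])
			if err != nil {
				return fmt.Errorf("key %q: bad index %q: %w", key, m[1], err)
			}
			if idx < 0 {
				return fmt.Errorf("key %q: %w", key, ErrNegativeIndex)
			}
			if idx > maxIndex {
				return fmt.Errorf("key %q: index %d exceeds limit %d", key, idx, maxIndex)
			}
		}
	}
	return nil
}

// SafeParse runs a body-parsing function and converts a panic into an
// ordinary error, so one hostile request cannot bring down the server.
// The named return value lets the deferred recover set the result.
func SafeParse(parse func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("body parser panicked: %v", r)
		}
	}()
	return parse()
}

func main() {
	// Constructed sample bodies: one well-formed, one with a negative index.
	for _, body := range []string{
		"items[0].name=apple&items[1].name=pear",
		"items[-1].name=crash",
	} {
		err := SafeParse(func() error { return ValidateFormKeys(body) })
		fmt.Printf("%-45q -> %v\n", body, err)
	}
}
```

In a Fiber handler, `ValidateFormKeys(string(c.Body()))` would run first and return `fiber.StatusBadRequest` on error; `SafeParse` then wraps the call to `c.BodyParser(&dst)`. Fiber also ships a recover middleware that serves the same containment purpose process-wide, and that should be enabled regardless of this particular issue.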

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.